how secure are php codes/scripts when they are deployed in a server (or when they become online)? if i put constants and/or passwords in my php codes, will they be visible and be 'sitting duck' targets for hackers?
Your script can be as secure or insecure as you want.
Generally, the end user would not see constants or any of the actual code as this is executed on the server. All the end user should see is the output of any functions in your script.
If you are worried that a function may output some important data, use an @ symbol before it to suppress the standard errors: @mysql_connect("...", "...", "...");
Or better, add error handling into your code to make sure that if an error occurs then you have a specific response for it.
Also, make sure that you never send unencrypted passwords via GET as they will be visible in the URL. There are also hacking tools which allow the retrieval of POST data, so watch out for that too.
Also, make sure that you never send unencrypted passwords via GET as they will be visible in the URL. There are also hacking tools which allow the retrieval of POST data, so watch out for that too.
Even better yet, use javascript to encrypt the passwords before sending it over $_POST. This way if the post data is hacked the data is still encrypted. This sort of hack attack can happen when a hacker attaches a device to a fiberoptic cable to scan data running past. Also as a security question, is there any security difference between the following two codes because a tutorial years ago told me there was but find hard to believe.
Those are the two scripts but the tutorial (I forget where) says the second script should be more secure although I don't see how. And it was also said in the tutorial that it would be even more secure to place the variables in an include() file. Is that true or just a myth?
Even better yet, use javascript to encrypt the passwords before sending it over $_POST. This way if the post data is hacked the data is still encrypted. This sort of hack attack can happen when a hacker attaches a device to a fiberoptic cable to scan data running past. Also as a security question, is there any security difference between the following two codes because a tutorial years ago told me there was but find hard to believe.
Those are the two scripts but the tutorial (I forget where) says the second script should be more secure although I don't see how. And it was also said in the tutorial that it would be even more secure to place the variables in an include() file. Is that true or just a myth?
Very true. All sensitive data should be stored above the web root. Along with classes and other functions. Think if something happened to the server and it stopped parsing php and your code was presented in plain text. If everything is where the user can't get to it there is no way they can look through it.
Also,
Passwords should always be hashed, no matter what.
If you are sending info that you wouldn't want intercepted you should be on a secure connection (https) using a ssl certificate. The day rsa keys are able to be decoded is the day the world collapses.
The company I work for forces us to use ssl for user login, members areas and registrations. You should do the same, if you can afford it.
If you are wanting to store credit card info or ssn numbers, don't. If you must then you will need a virtual private server and heavy encryption. There are laws for this stuff.
Even better yet, use javascript to encrypt the passwords before sending it over $_POST. This way if the post data is hacked the data is still encrypted. This sort of hack attack can happen when a hacker attaches a device to a fiberoptic cable to scan data running past. Also as a security question, is there any security difference between the following two codes because a tutorial years ago told me there was but find hard to believe.
Those are the two scripts but the tutorial (I forget where) says the second script should be more secure although I don't see how. And it was also said in the tutorial that it would be even more secure to place the variables in an include() file. Is that true or just a myth?
Using JavaScript to encrypt passwords is not something I'd recommend. Anything that is client side can be bypassed. An attacker sniffing the network can modify the HTTP request response to their benefit.
Quote ...
Very true. All sensitive data should be stored above the web root.
I think you meant below the web root?
It is very useful to practice this. Not just to remove the possibility of the HTTP server accidentally serving the file as text, but also to disable remote access of the PHP files in an order not intended.
Imagine having an index.php where you want all requests to be made. Then you have page2.php
On this page you have some variables that should have already been defined. If page2.php was accessed directly from the web, instead of through index.php then you have unintended behavior.
Using JavaScript to encrypt passwords is not something I'd recommend.
Well I think you mis-understood exactly what I meant. The process I was refering to was that javascript encodes the data first then php decodes it then php re-encodes the data.
Quote ...
I think you meant below the web root?
No because this way the user cannot access the file when apache is displaying the php code instead of html code. A rare problem but does happen. An example of including the files from above the web root:
Well I think you mis-understood exactly what I meant. The process I was refering to was that javascript encodes the data first then php decodes it then php re-encodes the data.
I would agree with digital-ether on this.
I always browse in Firefox with NoScript enabled (which means JavaScript is disabled for untrusted or unknown sites)
Lets say I visit your site with Javascript off, I enter a password which is not encoded before sending, meaning that your PHP script will get an unencoded password and will try to decode it.
Also, if you are encoding with JavaScript, an unfriendly user would be able to see exactly what you are doing and could reverse it anyway.
As a rule of thumb, I use JavaScript to make things 'pretty' after I have completed a project. I would never rely on JavaScript to handle even the smallest part of the security on any of my sites.
No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Offline 
Unsolved 
